The DHS/FBI Report on Russian Hacking was a Predictable Failure

Russian cyber espionage against American political targets has dominated the news in recent months, intensifying last week with President Barack Obama’s announcement of sanctions against Russia.

Cyber espionage is, of course, nothing new. But using data collected in cyber espionage operations to interfere in the U.S. election process on behalf of one of the candidates — one who appears to be smitten with Russian President Vladimir Putin — is a brazen and unprecedented move that deserves a firm political response from the U.S. government on behalf of the public interest.

The expulsion of 35 Russian diplomats, the shutting down of two Russian-owned estates the US claims were used for intelligence activities, and the targeted financial sanctions on Russian individuals and organizations all show the Obama administration understands at least part of what such a firm response should entail.

Unfortunately, the White House was unable to produce the most critical part for the credibility of their action: that to be politically effective in today’s Internet age, such a response also needs to be backed up with solid evidence. Here, the administration failed miserably, but also predictably. And it’s not necessarily because it doesn’t have the evidence. Instead, the U.S. government simply failed to present it.

The DHS/FBI Joint Analysis Report on Russian information operations, which the administration refers to as “Grizzly Steppe,” is a disappointing and counterproductive document. The problems with the report are numerous and have been well documented by professionals in the computer security area. But the culture of secrecy and the lack of independent sources of verification that gave rise to it are far more pervasive.

Among the problems in the report: Instead of clearly mapping out the evidence linking the cyber espionage operations to Russia, the report provides generic charts on tradecraft and phishing techniques that apply to just about every cyber espionage campaign I and others have ever studied.

At the centre of the report (page 4) is a table that unhelpfully lumps together, without explanation, several different names attributed to Russian-associated cyber espionage campaigns alongside names of malicious software and exploits that have little or no direct link to Russia.

An appendix includes a spreadsheet meant to provide “Indicators of Compromise,” long lists of technical details supposedly associated with the espionage campaign. These include IP addresses, malware signatures, and command and control infrastructure, which network defenders are supposed to use to ward off Russian-backed espionage, and which would ostensibly be used to “fingerprint” Russia as the culprit. Unfortunately, many of these are out of date or irrelevant, or are used by multiple cyber espionage campaigns and not ones exclusively associated with Russia. To give just one example, journalist Micah Lee analyzed the IP addresses contained in the appendix, and found over 40 percent of them are exit nodes of the anonymizer Tor (meaning anyone in the world using Tor could be associated with these IP addresses). It is a disservice to both the general public and expert researchers to not clarify the degrees of confidence associated with each indicator. Without proper categorization or context, the indicators satisfy neither aim: they neither help network defenders nor prove attribution.
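The kind of triage that the report left to its readers, as an added example that is not part of the original article or of the report itself: before deploying a published IP indicator list, a defender checks each entry against the current Tor exit list and weeds out non-routable addresses and whole network blocks, so that each indicator carries a confidence tier rather than being treated as equally damning. The indicator values and the Tor exit set below are constructed placeholders, not the report's own data.

```python
import ipaddress

# Constructed stand-in for a JAR-style indicator spreadsheet (hypothetical
# values from documentation ranges, not the report's actual indicators).
SAMPLE_IOCS = [
    "203.0.113.10",   # hypothetical Tor exit node
    "203.0.113.11",   # hypothetical Tor exit node
    "198.51.100.5",   # hypothetical dedicated command-and-control host
    "192.168.1.20",   # private address: meaningless as a network indicator
    "192.0.2.0/24",   # an entire block: far too broad to fingerprint anyone
    "not-an-ip",      # malformed entry, common in hand-assembled spreadsheets
]

# Constructed Tor exit set; in real triage this is the Tor Project's
# published exit address list, fetched on the day the indicators are checked.
TOR_EXITS = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}

# Address space that should never appear in an external indicator list.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def classify(ioc, tor_exits):
    """Assign one confidence tier to a single IP or CIDR indicator."""
    try:
        net = ipaddress.ip_network(ioc, strict=False)
    except ValueError:
        return "invalid"
    if any(net.subnet_of(r) for r in NON_ROUTABLE if net.version == r.version):
        return "non-routable"
    if net.num_addresses > 1:
        return "block"          # needs context before it can be used at all
    if str(net.network_address) in tor_exits:
        return "tor-exit"       # shared by every Tor user: no attribution value
    return "candidate"          # the only tier worth loading into a sensor


def triage(iocs, tor_exits):
    """Map every indicator in the list to its tier."""
    return {ioc: classify(ioc, tor_exits) for ioc in iocs}


def tor_exit_share(iocs, tor_exits):
    """Fraction of the usable single-host indicators that are Tor exits."""
    tiers = triage(iocs, tor_exits)
    hosts = [t for t in tiers.values() if t in ("tor-exit", "candidate")]
    if not hosts:
        return 0.0
    return hosts.count("tor-exit") / len(hosts)
```

With the constructed data two of the three single-host indicators are Tor exits, which is the situation the article describes: a list that looks substantial but mostly points at anonymous infrastructure.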

The report’s shortcomings have led to predictable results. President-elect Donald Trump and his “truthiness” supporters can continue to peddle inanities, like “no computer is safe” and anyone, even “someone sitting on their bed that weighs 400 pounds” could be responsible for the breaches.

Meanwhile, Russian leadership can continue to smirk and shrug it all off, biding their time until January 20th.

There has even been a false alarm about Russian “hacking” of a Vermont utility grid based on what turned out to be a faulty supposition made on the basis of one of the IP addresses in the report. No surprise there, given the inclusion of Tor exit nodes and other irrelevant IP addresses among the indicators. Poorly presented data will produce poor results. I’ve already received several media requests asking for my comments about the significance of Canadian IP addresses listed in the report, wondering if Canadian institutions were victims of Russian cyber espionage too. Sigh…

Journalist Glenn Greenwald has likened the U.S. intelligence community’s assertions, and the press’ willingness to go along with them, to dubious claims from the administration of President George W. Bush concerning alleged Iraqi weapons of mass destruction. I believe that analogy is only partially appropriate.

Yes, when a government makes decisions with such huge ramifications and risks, the public should expect its government to produce credible information on behalf of its case. Faith-based conclusions based on partial evidence and anonymous leaks are no basis to make informed public policy.

But unlike the Bush administration’s ruse leading up to the invasion of Iraq, it’s unlikely the Obama administration is manufacturing a case against Russia out of thin air. I know no one in the cyber security community who does not actually believe that cyber espionage operators involved in the hack of the DNC are indeed connected in some way to Russian intelligence.

In this case, rather than manufacture evidence, the U.S. government couldn’t organize itself to present it convincingly. The real problem here is not political subterfuge. It is, rather, symptomatic of a larger syndrome of how we as a society deal with cyber security issues today.

The NSA and other intelligence agencies have extraordinary capabilities that provide unparalleled visibility into digital networks, and especially the networks of their adversaries like Russia. Having spent many months closely examining the Snowden disclosures I can at least partially attest to their prowess in this regard. The data to which they have access would undoubtedly show precisely who did what, when, and how.

Unfortunately, we in the general public will most likely never see that data. This week, the most senior members of the Intelligence Community will testify on Capitol Hill about the Russian hacking, but they may reserve some or most of what they know for closed-door classified sessions in which the public cannot take part. A more detailed report on the intelligence is supposed to be published before Jan. 20, but much of the information is still expected to remain classified. Part of the reason is legitimate: giving up the evidence could blow sources and methods that are expensive and time-consuming to prepare and nurture, and could even put lives at risk.

But this only raises the question: Why is it that we have to depend on secretive spy agencies for such important public policy matters as evidence concerning the security and integrity of an election process in the first place? If the Executive Branch cannot clearly communicate evidence of such a critical national security issue to the public, then we have nothing to rely on but their word.

What about the private sector? The DHS/FBI report claims to build on the work of companies like Crowdstrike, which was hired by the Democratic National Committee to investigate the original hacks. It was mostly on the basis of Crowdstrike’s assessments that the initial reporting of Russian attribution was made.

Yet cyber security companies, like the intelligence community, are also loath to widely reveal what they know — but for different reasons. As businesses first and foremost, they need to sell information to paying clients. Giving it all away to the general public would undermine their revenue stream and assist industry competitors. While private companies often publish more than government agencies, and do increasingly include useful indicators of compromise in their reports, the best material is still saved exclusively for those who can pay. For the rest of us, all we have to go on are glossy brochures, fancy codenames, partial glimpses, and sales pitches. That’s not enough.

I have heard some say the report was “rushed out” by the administration in order to deliver a blow to the Russians before Trump took office. While tying Trump’s hands may be an admirable motive, I find it hard to swallow the idea that the U.S. defense and intelligence community were so rushed that they were incapable of producing anything but such a badly constructed report.

There’s no reason why the government can’t quickly reveal evidence about cyber espionage efforts that can help potential victims defend themselves. For example, Citizen Lab (of which I’m the director) recently found evidence that an Israeli cyber warfare company, NSO Group, had been hired by the United Arab Emirates to surreptitiously spy on the iPhone of a human rights defender. From the time the initial malicious SMS messages found on the iPhone were shared with us (August 11th, 2016) to the time our report was released (August 25th), only 14 days elapsed. In that time, we made a responsible disclosure to Apple, who issued critical security patches for iOS, OS X, and Safari for hundreds of millions of Apple users. I am proud to say our report is extremely detailed in both means and methods, and includes detailed and useful indicators of compromise for all to review. All of this was accomplished by only two Citizen Lab researchers who enlisted a small group of people from the security company Lookout Inc. to help with technical analysis on the zero day and implant.

This all took place in just two weeks.

The U.S. defense and intelligence community, including their private sector partners, by contrast, has thousands of staff, billions of dollars in resources, the most advanced capabilities, and many months of time.

“Rushed” is no excuse for shoddy work. No, the real reason lies elsewhere — in the inability of the government and the private sector to produce unvarnished evidence to inform the public about what they fully know. And that’s the problem.

The reality is that we are entrusting vital public policy matters on cyber security primarily to defense and intelligence agencies of nation-states and the companies that serve them, with little to no independent source of verification of what they produce for the general public. As long as we do so, reports like the one from DHS/FBI and anonymous leaks by “intelligence officials” are what we will get.

There are alternatives. We need to somehow shift our collective mindsets and start treating the security of cyberspace for what it really has become: not just a national security issue or a business venture, but also as a global public health issue. We need to empower civilian institutions in multiple countries with resources and capabilities to do independent research on threats to cyberspace in the public interest regardless of boundaries, and regardless of whose national or commercial interests are concerned.

To be sure, it would be naive, unrealistic, and counterproductive to imply that national security agencies and their private sector counterparts have no role to play in cyber security. And we do need to incentivize them to be more transparent about data they can share with the public, and more rigorous in terms of what they do present, to make it useful to others. But to rely on them exclusively for critical information vital to the public interest is also naive, unrealistic, and counterproductive.

As long as we set ourselves up this way, we set ourselves up for such failures.